Does GDPR Apply to US Companies? What You Need to Know

We’re more than a year into the era of the EU GDPR (General Data Protection Regulation). However, organizations across North America still struggle to understand whether, and how, the Regulation applies to them.

Understandably, many companies outside the EU haven’t been keeping an eye on the GDPR, but they should realize its scope is vast. It may be a European law, but organizations anywhere in the world can be affected.

That’s because the GDPR applies to any organization, wherever it is established, that offers goods or services to, or monitors the behavior of, individuals in the EU. What matters is where the people whose data you process are, not where your company or its servers are located. Organizations outside the EU that fall within this scope must also designate a representative in the EU, unless their processing is only occasional and low-risk.

If your organization does either of these things and hasn’t adapted its processes accordingly, you could be in trouble. Under the Regulation, non-compliant organizations can face fines of up to €20 million (about $22 million) or 4% of their annual global turnover, whichever is higher.

So how does the GDPR affect US companies?

Will I really be fined?

It’s easy for North American organizations to think that the GDPR isn’t something they will have to deal with.

The practical reach of the Regulation remains murky. It’s hard to see an EU regulator having the wherewithal to investigate an organization on the other side of the Atlantic, particularly when it’s difficult enough to look into the practices of domestic organizations.

Until a few weeks ago, there were plenty of GDPR skeptics in the EU as well. They claimed that the Regulation was intended to scare organizations into submission but ultimately wouldn’t lead to anything.

But then the Information Commissioner’s Office (ICO), the UK’s data protection watchdog, announced its intention to fine British Airways and Marriott International a combined total of more than $340 million.

Meanwhile, the Irish Data Protection Commission continues to probe Facebook and Google, and thousands of other investigations across Europe are underway.

So the GDPR is indeed active, and plenty of organizations are being made to pay for their hubris. Do you really want to be next?

The GDPR by another name

Even if you aren’t required to comply with the GDPR in North America, you may well be subject to a similar law.

Governments across the globe are waking up to the reality that effective data protection is essential for businesses to prosper.

In the past year, several governments drafted data privacy legislation that mirrors critical elements of the GDPR. For example:

  • Brazil’s Federal Senate approved a Data Protection Bill with requirements around the appointment of a DPO (data protection officer), establishing a legal basis for processing personal data and emphasizing privacy by design.
  • Kenya passed a data protection bill that requires organizations to conduct data protection impact assessments before processing personal information that could risk the rights and freedoms of data subjects.
  • India’s Supreme Court recognized the right to privacy as fundamental. The government subsequently issued a bill requiring appointments of DPOs and establishing limitations on data retention and the processing of sensitive personal data.

In the U.S., New York and California recently passed wide-reaching data protection and privacy laws.

The California Consumer Privacy Act expands the definition of personal information (especially when compared to other U.S. state laws) to include Internet activity information.

Meanwhile, New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act strengthens the state’s data breach notification requirements.

As well as expanding the definitions of ‘private information’ and ‘security breach,’ the Act lists additional security controls that organizations must implement.

Your organization should be reaching similar conclusions about the importance of data protection, because data breaches will be costly whether you are subject to regulatory action or not.

Ponemon Institute’s 2019 Cost of a Data Breach report found that, on average, security incidents set organizations back $3.92 million.

Things are even worse in the U.S., which is the most expensive country in the world for data breaches, with incidents costing $8.19 million on average.

How should you proceed?

Regardless of where you operate, you will likely feel the effects of the GDPR, directly or indirectly.

If the Regulation applies to your organization, you should begin your compliance efforts immediately.

Where to start with GDPR compliance >>

If it doesn’t, things aren’t as urgent. However, it’s worth checking whether any similar forthcoming laws will affect you. The chances are that they will use the same terminology and contain similar requirements to the GDPR.

You can use our wealth of resources dedicated to GDPR compliance to prepare your organization.

These resources are also helpful if you are interested in improving your overall data protection posture.

The GDPR’s requirements are widely considered best practices, so by following its guidance you will have a solid foundation for protecting your systems and your customers’ information, whichever law you ultimately need to comply with.

Learn more about the GDPR

Whatever your interest in the GDPR, you can get to grips with its requirements with our Certified GDPR Foundation Online Training Course.

Delivered by an experienced privacy consultant, this one-day course gives you a comprehensive introduction to the Regulation’s requirements, how they work, and why they are in place.

Find out more >>

A version of this blog was originally published on August 17, 2018.